Time for You to Teach Security to End Users

You all had some awesome suggestions to make this security class a success! Below, you will find the PowerPoint that you can use to host your own user security class. Each slide has some additional notes at the bottom.

40 minute sessions work really well for my staff. That is long enough to go into detail for the big issues but short enough that we don’t bog down in technical stuff/cover too much too fast.

Talking about security without a computer is like learning to drive from a book. Get everyone in front of a computer for your class. These notes have several mini-labs built into them.

Your audience may be hostile. Most of my staff are teachers – who have to give up a planning period to attend a security meeting. Use any cheap trick that you can to sweeten them up. Food, dry humor, promises that you don’t intend to keep.

Keep it fun and practical. Ad blockers can stop drive by malware but your staff will be more excited that it can stop auto-playing video ads.

Planning your own class? Any other suggestions on what to teach or the best way to teach it? Let me know in the comments below.

08/15/17

Six weeks from now, I will be teaching a series of security classes to 800 end users. I want to know what you think every staff member should know about security.

Users are often the weakest link in our environment. Your staff and mine could benefit from additional training. After this class wraps up, I will be posting all of the materials so that you can teach your own class quickly! This will include the presentation, speaking notes, attempted jokes, and any labs that we do. This class format will be mostly instructor led/lab based (every attendee will have a computer). Total time per class is about an hour max.

Why you didn’t win one million dollars from an email – AKA Phishing and Spam

Why IT will never tell you to enter your password on a Google form – AKA Phishing websites

Using ad blockers

Why you are not an administrator (and neither am I)

Updates really do matter

How to not install a virus

Ransomware

Macros

Detailed graph showing virus/download button correlation

What am I missing? What do you wish your staff knew? Should topics like MFA or encryption be covered? This class is still very much in flux (materials will probably start sounding more professional). Although it can be a bit technical, it should stay fun and memorable.

This page will be updated with your ideas and as the materials come together.

Maybe, just maybe, you can start your presentation with a little ‘show’. walk in. start your pc. think, think, think… forgot your password. turn around the keyboard and there it is written. your mothers name. then start the emailprogram and click at every link you can find. then the phone is ringing and there is an interviewer asking you personal questions (also your mothersname off course). Then wrap up with all the issues which were wrong. point them out to the people.
In this way it is more then just loose ends… your present a story which will stick (I think)

When we do talks like this we start by asking people to fill out a questionnaire asking for there company login and password details there social media names, mother maiden name and favourite pet. you would be surprised how many people fill it out without question… good way to get the importance of the basics over.

I’d show them https://haveibeenpwned.com – betcha enough people will have had data exposed in the breaches tallied there to get their attention.

And I’d keep the names as is, or at least that same informal tone, rather than turn them into stale “professional” sounding titles – “let’s talk about this as human beings so we don’t get blasted” is far more likely to have an impact I’d have thought.

And I’d explicitly discuss the balance between security and making life more difficult and those occasions when attempts to secure things (forced password changes after time period X and.or password complexity rules which are beyond the pale ) actually may lead to weaker outcomes like reuse or writing down. No sense sweeping it under the carpet and finger wagging “just don’t do that”.

If I were to create an IT Security training, I would try to first impress my audience. My strategy would be to show them some articles and examples of how critical and how deep in our daily lives IT Security is. I subscribe to Help Net Security’s feed and they’ve got some great articles that could grab the attention of your audience. Some examples:

I try and stress that just because you recognize the sender of the email doesn’t mean you should automatically click on the link they are sending you. If you think it is odd that your coworker wants you to click on a link or shared a document with you then you should call the person to verify that they actually sent you the message and they were not hacked. We also encourage the use of Duo two factor authentication for direct deposit and tax information.

A couple of points might be helpful:
1.I think most people get MFA–their online banking systems use it–but they don’t necessarily put it together that email phishing is so dangerous because it defeats MFA. If the bad guys have your email account, they can get around most MFA protection.
2. Explain the importance of multi-layered security. A/V, A/M, firewalls, content filtering, spam filtering, IPS, log review, endpoint encryption, actively managed SOC, user training, user re-training, all go together and all are necessary. The end-user part of it is no less important than the firewall.

Windows/Microsoft Patch Management – if it is done by information systems or if you have to do it. Why it is important. Even if it is controlled by IS in your organization, you should still patch your home computers as well – especially if your organization allows jump/thumb drives. I know at my organization I still have people that complain that their computers rebooted after updates and they want to control when it happens. If that were the case, we’d probably have ransomware attacks.

To go along with the securing passwords, would you ever lock your house and then leave a note on the front door telling you that the key is under the flower pot? We see it all too often, walk into a classroom and the teacher has a list of usernames and passwords posted on the monitor, or on the wall beside the monitor.

Some folks get scared of password managers (are you recommending one, or licensing one for them?) and no-one can remember dozens of correcthorsebatterystaples. I’d far rather a user have a unique and lengthy random password written down in their diary (maybe lightly obfuscated) than have a common password used across multiple sites. Post-it note passwords pariahs should be burned however.

I try and encourage users to improve their home account data security as let’s face it – they care much more about their own stuff. Simple way to encourage unique passwords is to have them easily accessible (eg. a paper address book tucked in the bookcase). The chances of this notebook being breached are far less likely than an online breach of one of the dodgy websites they have registered for.